The challenges of the GDPR for the debt collection industry – what you need to know

By TCM News, Publisher | Oct 25, 2018

HEVERLEE, Belgium (TCM NEWSROOM) – How has the GDPR affected the debt collection industry? We take stock three months after implementation.

Europe’s General Data Protection Regulation (GDPR) addresses personal privacy issues by limiting how personal data can be obtained, stored, handled, and transferred to other parties. It came into force on 25 May 2018 across all EU countries and the European Economic Area (EEA), of which Iceland, Liechtenstein and Norway are members.

The main features of the GDPR for debt collectors – what you need to know

Legitimate interest

Processing data for debt collection purposes is based on the legitimate interest of the controller or third party (see article 6f of GDPR). In the debt collection context, a creditor clearly has a legitimate interest and can thus transfer data to a debt collector.

Data controller

Article 4 of the regulation distinguishes between “data controllers” and “data processors”. In brief, a data processor “processes personal data on behalf of the controller”, while a data controller “determines the purposes and means of the processing of personal data”.

Belonging to either of these two categories has important consequences. Essentially, the “data controller” is responsible for his or her own actions. In the case of a “data processor”, however, it is the upstream “data controller” (i.e. the person who provides the data or provides access to the data) who remains the responsible party.

Debt collectors seem to belong to the “data controller” category because they receive data that (1) comes with instructions to collect the debt attached to the named person or institution and (2) is subject to the GDPR. Such instructions require autonomy on the part of the collector as to the means employed and the actions taken. Indeed, during the collection process, the debt collector usually enriches the data provided with new information (e.g. by adding a new phone number or address and updating the debtor’s financial situation).

In contrast, a “data processor” does not have autonomy in terms of what is to be done with the data. He or she typically receives limited instructions such as “send a letter with this text to that address.”


Data controllers have various obligations, such as:

  • limiting data handled and stored to useful information (e.g. information on name and address but not on religious affiliations, health status, race or ethnicity)
  • securing data (i.e. no access to unauthorized parties)
  • ensuring secure data transfer (e.g. a common email could be considered as insufficiently secure for transferring data)
  • ensuring private data is not transferred, disclosed, or sold unless there is a legitimate reason and legal obligation for doing so
  • informing persons (“data subjects”), upon request, about their personal data as stored by the data controller
  • maintaining a register (record of processing activities) for use in demonstrating compliance with the Regulation as stipulated in article 24.


In May, the incidence of email proposals for contracts between creditors and their debt collectors increased. As debt collectors are usually “data controllers”, the situation can be characterized thus:

  • Two “data controllers” established in the EU (or EEA) do not need to enter into a contractual agreement, as both parties need to abide by all EU laws and regulations, including the GDPR.
  • Two “data controllers” established outside the EU (or EEA) are not obliged to abide by the GDPR.
  • Two “data controllers” – one established in the EU (or EEA) and one outside the EU (or EEA) – are constrained to enter into a “controller-to-controller” agreement in which the non-EU partner commits to abide by the EU requirements.


The GDPR is indeed a complex text. But it is also “self-contained” in the sense that the wording of the regulation should not be interpreted according to any one member state’s own legal jurisprudence: it should be understood, rather, in accordance with its own definitions. So although the text may not be readily accessible or eminently readable, it does have its merits as a logical and coherent piece of legislation.

TCM Group members strictly abide by the requirements laid down in the GDPR.

Whether you have one claim or one thousand, please contact Ms. Sanne Mistiaen for more information on +32 16 74 52 04 or at

Mr. Etienne van der Vaeren is CEO of TCM Belgium and one of TCM Group’s honourable and distinguished directors.
